CISCO Cyberops Associate 5 - Network security and forensic analysis

NIST SP 800-86 concepts

  • National Institute of Standards and Technology, Special Publications 800 Series.
    • Evidence collection order

      1. Volatile data collection (volatile data is lost when the computer's cable is pulled, so it is collected first).
      2. Data integrity (on backups and imaging).
      3. Data preservation.

      Forensic process (collection, examination, analysis, reporting):

      ```mermaid
      graph LR;
      A[Media];
      B[Data];
      C[Information];
      D[Evidence];
      E[Report];

      A -- collection --> B;
      B -- examination --> C;
      C -- analysis --> D;
      D -- reporting --> E;
      D --> A;
      ```
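An added example (not from the course material) of the data integrity step: hash an acquired image at collection time, record it in a chain-of-custody entry, and re-verify the working copy before examination. The sample bytes, labels and analyst name are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of an acquired image or file as hex."""
    return hashlib.sha256(data).hexdigest()


def record_acquisition(label: str, data: bytes, collector: str) -> dict:
    """Build a chain-of-custody entry at collection time.

    The hash recorded here is what every later examination and reporting
    step is checked against; a mismatch means the copy being examined is
    not the data that was collected.
    """
    return {
        "label": label,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "size": len(data),
        "sha256": sha256_hex(data),
    }


def verify_integrity(entry: dict, data: bytes) -> bool:
    """True if the working copy still matches the recorded size and hash."""
    return len(data) == entry["size"] and sha256_hex(data) == entry["sha256"]


# Constructed sample "image": not real evidence, just bytes for the demo.
SAMPLE_IMAGE = b"\x00" * 16 + b"MBR-like sample\n" + b"\xff" * 16
ENTRY = record_acquisition("disk0-sample.img", SAMPLE_IMAGE, "analyst-1")

if __name__ == "__main__":
    print(json.dumps(ENTRY, indent=2))
    print("working copy intact:", verify_integrity(ENTRY, SAMPLE_IMAGE))
    # A single changed byte in the working copy must be detected.
    tampered = SAMPLE_IMAGE[:20] + b"X" + SAMPLE_IMAGE[21:]
    print("tampered copy intact:", verify_integrity(ENTRY, tampered))
```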

Security management concepts

  • Security policies: a document that spells out the rules, expectations, and approach to maintain the confidentiality, integrity, and availability of data.
    • Asset management:
      • Every single asset should be accounted for.
      • Asset in compliance.
      • Response when out of compliance.
    • Configuration management:
      • Discovery.
      • Configuration baseline (detect configuration drifts).
      • Assess, alert, report.
      • Remediate.
      • Rely on automation.
    • Mobile device management:
      • Software tool for smartphones, laptops, tablets, IoT devices.
      • Management, productivity and compliance.
    • Patch management:
      • Starts with asset management.
      • Identify, acquire, install and verify patches.
      • Correct security flaws and mitigate vulnerabilities.
      • Must not be neglected.
      • Balance patching against usability and availability.
    • Vulnerability management:
      1. Discover (identify).
      2. Prioritize (handle list).
      3. Assess (decide on mitigation only, or remediation).
      4. Remediate.
      5. Verify.
      6. Report.

SOC metrics and scope analysis

  • People in the SOC (escalation model):
    • Tier 1: alert analyst (front line response):
      • Monitoring incidents.
      • Open tickets.
      • Basic threat mitigation.
    • Tier 2: incident responder (review for indicator, try some remediation):
      • Deep investigation.
      • Advice.
      • Recommend action.
    • Tier 3: subject matter expert (SME) or Hunter:
      • Knowledge.
      • Hunt threats.
      • Prevention (pass this info back to Tier 1 and Tier 2).
  • Goal SOC metrics:
    • Criteria:
      • Speed.
      • Focus.
      • Accuracy.
    • Goals:
      • Understand and identify risks.
      • Measure effectiveness.
      • Optimize resources.
      • Investment allocation.
    • Metrics:
      • Time to detect (mean time to detect, MTTD).
      • Time to respond (mean time to respond, MTTR).
      • Time to control.
      • Time to contain.
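An added example (not part of the course notes) computing the two headline metrics above from incident records: time to detect is measured from when the activity started to detection, time to respond from detection to completed response. The incident records are constructed, and the 4-hour detection target is an assumed value.

```python
from datetime import datetime

# Constructed incident records (not real SOC data). "occurred" is when the
# activity started, "detected" when an analyst raised it, "responded" when
# response/containment finished; None means the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T08:00:00",
     "detected": "2024-03-01T09:30:00", "responded": "2024-03-01T12:00:00"},
    {"id": "INC-2", "occurred": "2024-03-02T22:15:00",
     "detected": "2024-03-03T06:15:00", "responded": "2024-03-03T07:00:00"},
    {"id": "INC-3", "occurred": "2024-03-05T14:00:00",
     "detected": "2024-03-05T14:20:00", "responded": None},
]


def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def time_to_detect(inc: dict) -> float:
    """Dwell time before detection: occurred -> detected."""
    return _minutes(inc["occurred"], inc["detected"])


def time_to_respond(inc: dict):
    """Detected -> responded (the clock starts at detection); None if open."""
    if inc["responded"] is None:
        return None
    return _minutes(inc["detected"], inc["responded"])


def soc_metrics(incidents: list) -> dict:
    """Mean time to detect/respond over the incident set, plus open count."""
    ttd = [time_to_detect(i) for i in incidents]
    ttr = [t for t in (time_to_respond(i) for i in incidents) if t is not None]
    return {
        "mttd_minutes": sum(ttd) / len(ttd) if ttd else 0.0,
        "mttr_minutes": sum(ttr) / len(ttr) if ttr else 0.0,
        "open_incidents": len(incidents) - len(ttr),
    }


def slow_detections(incidents: list, target_minutes: float) -> list:
    """IDs whose detection exceeded the target; where to focus improvement."""
    return [i["id"] for i in incidents if time_to_detect(i) > target_minutes]


if __name__ == "__main__":
    print(soc_metrics(INCIDENTS))
    print("over 4h detection target:", slow_detections(INCIDENTS, 240))
```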

Protected data in a network

  • Personal, privacy and protected:
    • PII (Personally Identifiable Information): it can be traced back to a real person.
    • PSI (Privacy Sensitive Information): “you choose what information you want to reveal”.
    • PHI (Protected Health Information): its exposure can lead to discrimination.
  • Intellectual property (“creation of the mind”):
    • Inventions.
    • Literary and artistic works.
    • Symbols, names, images.
    • Designs used in commerce.

Network and server profiling elements

Set a baseline, and check for things out of the norm.

  • Network profiling:
    • Total throughput (e.g. saturation can indicate a DDoS).
    • Session duration (e.g. connections during off-hours).
    • Ports used (compare against the ports that are allowed).
    • Critical assets address space (e.g. if you know the server ranges and notice a client on one of those ranges, that is abnormal).
  • Server profiling:
    • Listening ports.
    • Logged in users, service accounts.
    • Running processes.
    • Running tasks.
  • Profiling tools:
    • Baselines.
    • Policies (e.g. asset, configuration, vulnerability).
    • Wireshark, nmap, netstat.
    • Logs.
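An added example (not from the course material) that serves both the configuration baseline / drift-detection point above and this profiling section: a server snapshot is compared against its baseline (listening ports, service accounts, processes), and network sessions are checked against allowed ports, the critical server address space and business hours. All baseline values, addresses and sessions are constructed.

```python
import ipaddress

# Constructed baseline for one server and network-wide profiling rules
# (illustrative values, not a real environment).
SERVER_BASELINE = {
    "listening_ports": {22, 443},
    "service_accounts": {"root", "www-data"},
    "processes": {"sshd", "nginx"},
}
NETWORK_PROFILE = {
    "allowed_ports": {22, 53, 80, 443},
    # Address space reserved for critical servers; a session that starts
    # from here toward a host outside it is a "client on a server range".
    "server_ranges": [ipaddress.ip_network("10.0.10.0/24")],
    "business_hours": range(7, 20),  # local hours 07:00-19:59
}


def server_drift(baseline: dict, observed: dict) -> list:
    """Compare an observed server snapshot with its baseline; return deviations."""
    findings = []
    for key in ("listening_ports", "service_accounts", "processes"):
        added = observed.get(key, set()) - baseline[key]
        missing = baseline[key] - observed.get(key, set())
        if added:
            findings.append(f"{key}: unexpected {sorted(added)}")
        if missing:
            findings.append(f"{key}: missing {sorted(missing)}")
    return findings


def _in_server_range(profile: dict, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in profile["server_ranges"])


def session_findings(profile: dict, sessions: list) -> list:
    """Flag sessions outside the network profile.

    Each session: {"src", "dst", "dst_port", "hour"} (hour = local start hour).
    """
    findings = []
    for s in sessions:
        tag = f"{s['src']}->{s['dst']}:{s['dst_port']}"
        if s["dst_port"] not in profile["allowed_ports"]:
            findings.append(f"{tag}: port not in allowed list")
        if _in_server_range(profile, s["src"]) and not _in_server_range(profile, s["dst"]):
            findings.append(f"{tag}: server range acting as a client")
        if s["hour"] not in profile["business_hours"]:
            findings.append(f"{tag}: session started off-hours ({s['hour']:02d}:00)")
    return findings
```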

Integrate forensic elements into incident analysis

  • NIST SP 800-61 Revision 2.
    • Incidents:

      • Data breach.
      • Privacy breach.
      • Physical breach.
      • Missing assets.
    • Steps of incident handling (incident response life cycle; containment can loop back to detection and analysis):

      ```mermaid
      graph LR;
      A[fa:fa-shield Preparation];
      B[fa:fa-magnifying-glass Detection, analysis];
      C[fa:fa-truck-medical Containment, eradication, recovery];
      D[fa:fa-road Post-incident activity];

      A --> B;
      B --> C;
      C --> B;
      C --> D;
      D --> A;
      ```
      1. Preparation:
        • “Readiness”.
        • Communication and facilities.
        • Hardware and software.
        • Documentation.
        • Images.
      2. Detection and analysis:
        • Determine that an incident occurred.
        • Prioritize handling.
        • Report incident to stakeholders.
      3. Containment, eradication, recovery:
        • Limits damage.
        • Acquire and preserve evidence.
        • Eradicate.
        • Recovery.
      4. Post-incident analysis:
        • Lessons learned.
        • Learn to improve.
        • Report.
    • Sharing information with other parties:

      ```mermaid
      graph LR;
      A[Incident response team];
      B[Other incident response teams];
      C[Incident reporters];
      D[Internet service providers];
      E[Customers, constituents and media];
      F[Software and support vendors];
      G[Law enforcement agencies];

      A --> B;
      A --> C;
      A --> D;
      A --> E;
      A --> F;
      A --> G;
      ```

Elements of an IRP

  • Incident response plan (IRP) according to NIST SP 800-61 Revision 2 (with a National Football League analogy):
    • Leadership (head coach):
      • Mission.
      • Strategies and goals.
      • Senior management approval.
    • Organizational approach (offensive and defensive coordinators):
      • Organizational approach to incident response.
    • Resource mobilization (special teams coach):
      • How the incident response team will communicate with the rest of the organization and with other organizations.
      • Metrics for measuring the incident response capability and its effectiveness.
    • Incident response plan (playbook):
      • Roadmap for maturing the incident response capability.
      • How the program fits into the overall organization.